Having spent numerous years providing armed and unarmed physical security in combat zones, hospital emergency rooms, psychiatric wards, and anti-piracy operations off the coast of Somalia has given me a deep respect for force continuum and the dangers of unnecessarily provoking an escalation by a volatile and dangerous adversary.

As cyberattacks continue to plague American companies as well as the payment card industry, there is a growing voice within the cybersecurity industry to allow and empower companies to take offensive action against cyber attackers. This is frequently referred to as ‘hacking back’ or ‘offensive hacking’. Several prominent security experts as well as some companies who have fallen victim to cyber-attacks have begun advocating that ‘a good offense is the best defense’. On May 28th, 2013 there was an online discussion in which an author of the upcoming book: The Active Response Continuum: Ethical and Legal Issues of Aggressive Computer Network Defense[1] posted the following excerpt:

“There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems.”[2] (emphasis added)(more…)

It’s the end of what has already been a tough year for data security. And the news just got worse. South Carolina has announced that its Department of Revenue suffered a major breach. The breach is so massive, in fact that more than 75% of the state’s residents have been affected. The compromised data consisted of the (unencrypted) social security numbers of more than 3.6 million residents. Also included in the breach were about 390,000 payment cards. Most of those were encrypted, though.

This is disturbing on a number of levels. I find it curious, for example, that while encryption was deployed, it was only deployed on payment cards (and not even on all of those). Consumers have built in protections on payment cards. As long as those cards are branded by one of the major card brands, consumers are protected against liability for fraudulent transactions. The far more sensitive data, the social security numbers, were not encrypted, though. This defies logic. Consumers have little to no protection against misuse of SSNs. Not only can very real financial damage be done, consumers have to spend enormous resources (time, money, emotions) in untangling the identity theft knot that comes with stolen SSNs.

Secondly, in the wake of the breach, Governor Nikki Haley issued an executive order that read: “I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies.” WHAT? If I’m inferring correctly, it seems that these agencies didn’t have an information technology officer already?? That is very troubling, particularly considering the types of data that state agencies hold. After 3.6 million (out of about 4.7 million) residents have had their sensitive data stolen is not a great time to decide that data security and privacy should become priority.

Private sector organizations have been working for years to shore up their data security, and in some cases (PCI DSS, HIPAA/HITECH, GLBA, SOX, state laws) face real consequences for failure to protect that data. It’s long past time states put forth the same level of protection. On the plus side, the state did comply nicely with its own data breach notification law.

There are currently over 45 state breach notification laws, several data protection laws, and numerous regulations including PCI DSS, HIPAA/HITECH, FISMA, and more. I frequently find myself working with companies on data breach notification plans. One of the more interesting (and heated) discussions comes when I ask them to define a “data breach” or “data compromise”. More interesting is when I ask them to define a “suspected data breach”. Visa’ rules state that “suspected” breaches must be reported within 24 hours of identification or there could be penalties. Consider the following example. You, as CSO, are informed of a malicious software outbreak in the customer service department. Does this require notification under the state breach notification laws, or relevant regulatory regimes? Maybe, maybe not. It is dependent upon a number of factors including access to data, data protections (ie. encryption), segmentation, the various laws etc. In short, it is not easy to decipher yet it is critical to be as accurate as possible.

Understanding what is, and what is NOT, a data breach or data compromise is the first step in defining your company’s data breach notification plan. The reason it is so critical is in the titled of this article. Once you notify that your company has been ‘breached’ you cannot ‘unring that bell’. The genie is out of the proverbial bottle and things start moving quickly. Most company’s would absolutely hate to make an announcement only to find that, while they may have experienced a security incident, it did not impact sensitive data (PII, CHD, NPI, PHI, etc.). It is important that you work with your compliance group, legal (don’t forget legal!), and the infosec & risk department to ensure you have a solid understanding of when, and under what conditions your company is required to notify of a breach or suspected breach. Here are some basic definitions to use as a starting point. (check with your legal council and don’t simply use these…there..that should protect me!;)

Security Incident/Event – Any event that compromises the availability, accessibility, or integrity of any asset. This includes systems, personnel, applications, services, etc.

Data Breach – Any exposure of or unauthorized access of sensitive and/or protected data to include PHI, PII, CHD, and NPI.

Suspected Data Breach- In the absence of direct evidence (identified fraud, or misuse of data, for example), any Security Incident in which it can be reasonable assumed that sensitive and/or protected data was exposed or accessed without authorization.

Remember, some state breach notification laws do not consider a breach of encrypted data as a trigger for notification…others do ;) If you need help unraveling these issues (insert shameless marketing plug)…contact Mark Consulting Group…www.MarkConsultingGroup.com

For those who like to use the popular photo sharing site Photobucket to share (ahem)..”private” pictures may want to take action immediately. According to an article on CNN, a privacy flaw in the way Photobucket allows users to share photos resulted in hackers gaining access to numerous R rated and even explicit photos of users. Photobucket allows users to share photos using direct links. This means that even if the user does not intend to share a photo, if a person can deduce the URL then the unencrypted file can be directly accessed. This is a hack known as “Fuscking” and it has been used to access numerous files. (more…)

One note. I apparently forgot to update my bio with the Editor in Chief so the article erroneously references me as the Executive Vice President of Data Security and Compliance for a payment processor. You can visit Mark Consulting Group at the following: www.MarkConsultingGroup.com